(54) Authentication method and apparatus using pairing functions for the elliptic curves based cryptosystems

(57) A first party (60) has a first (s1) and a second (P, R_TA1) cryptographic key. A second party (70) has a
third ("TA2") and a fourth (S_TA2 = s1Q_TA2) cryptographic key, the fourth cryptographic key (s1Q_TA2) being
derived from the first (s1) and third ("TA2") cryptographic keys thereby providing an association between the
parties (60, 70). To enable a third party (90) to verify the existence of an association between the first and
second parties (60, 70), the second party generates a number (r) that in association with the second cryptographic
key (P, R_TA1), the third cryptographic key ("TA2") and the fourth (s1Q_TA2) cryptographic key define a first
cryptographic parameter (X), a second cryptographic parameter (Y) and a third cryptographic parameter (Z)
respectively. By using these parameters and the second and third cryptographic keys, the third party (90) can
verify if the first and second parties (60, 70) are associated.





Figure 3

Description

Field of the Invention 

[0001] The present invention relates to a method and apparatus for use in relation to verifying an association between
two parties by cryptographic techniques; in particular, but not exclusively, the present invention relates to a method
and apparatus for enabling the verification, and/or for verifying, an association between a lower-level trusted authority
and a higher-level trusted authority in a hierarchy of trusted authorities by using elliptic curve cryptography.

Background of the Invention

[0002] With the ever-increasing spread of electronic communication and electronic identification there has been a 
corresponding increase in demand for cryptographic processes, where users require cryptographic processes to enable 
encryption of data for security purposes and/or for the purposes of providing identification. 

[0003] Typically encryption keys are certified by trusted authorities and disseminated using digital certificates where,
to allow widespread availability of cryptographic processes, a hierarchy of trusted authorities exists. Within a hierarchy
of trusted authorities a root trusted authority issues a digital certificate for a private/public key of a second-level trusted
authority by using the root authority's private key to sign the second-level trusted authority's public key and thereby
providing confirmation that the second-level private key is authorized by the root authority. Correspondingly the second-
level trusted authority issues a digital certificate for a different private/public key of a third-level trusted authority that is
signed with the second level's private key and so forth. However, for a user to determine that the public key associated
with the third-level trusted authority is derived with the authority of the root trusted authority it is necessary for the user
to trace the digital certificates that incorporate the various public keys.
[0004] It is desirable to improve this situation.

[0005] Embodiments of the present invention to be described hereinafter make use of cryptographic techniques
using bilinear mappings. Accordingly, a brief description will now be given of certain such prior art techniques.
[0006] In the present specification, G1 and G2 denote two algebraic groups of prime order q in which the discrete
logarithm problem is believed to be hard and for which there exists a computable bilinear map p, for example, a Tate
pairing t or Weil pairing e. Thus, for the Weil pairing:

e: G1 x G1 -> G2

where G2 is a subgroup of a multiplicative group of a finite field. The Tate pairing can be similarly expressed though it
is possible for it to be of asymmetric form:

t: G0 x G1 -> G2

where G0 is a further algebraic group the elements of which are not restricted to being of order q. Generally, the
elements of the groups G0 and G1 are points on an elliptic curve though this is not necessarily the case.
[0007] As is well known to persons skilled in the art, for cryptographic purposes, a modified form of the Weil pairing
is used that ensures p(P, P) ≠ 1 where P ∈ G1; however, for convenience, the pairing is referred to below simply by its
usual name without labelling it as modified. Further background regarding Weil and Tate pairings and their cryptographic
uses can be found in the following references:

- G. Frey, M. Müller, and H. Rück. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems.
IEEE Transactions on Information Theory, 45(5):1717-1719, 1999.

- D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. In Advances in Cryptology - CRYPTO
2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.

[0008] For convenience, the examples given below assume the use of a symmetric bilinear map (p: G1 x G1 -> G2)
with the elements of G1 being points on an elliptic curve; however, these particularities are not to be taken as limitations
on the scope of the present invention.
[0009] As the mapping between G1 and G2 is bilinear, exponents/multipliers can be moved around. For example, if
a, b, c ∈ Fq and P, Q ∈ G1 then

t(aP, bQ)^c = t(aP, cQ)^b = t(bP, cQ)^a = t(bP, aQ)^c = t(cP, aQ)^b = t(cP, bQ)^a
= t(abP, Q)^c = t(abP, cQ) = t(P, abQ)^c = t(cP, abQ)
= t(abcP, Q) = t(P, abcQ)
= t(P, Q)^abc
[0010] Additionally, the following cryptographic hash functions are defined:

H1: {0,1}* -> G1  (the map-to-point hash)
H2: {0,1}* -> Fq
H3: G2 -> {0,1}*

[0011] A normal public/private key pair can be defined for a trusted authority:

the private key is s where s ∈ Fq
the public key is (P, R) where P ∈ G1 and R ∈ G1, with R = sP

[0012] Additionally, an identifier based public key / private key pair can be defined for a party with the cooperation
of the trusted authority. As is well known to persons skilled in the art, in "identifier-based" cryptographic methods a
public, cryptographically unconstrained, string is used in conjunction with public data of a trusted authority to carry out
tasks such as data encryption or signing. The complementary tasks, such as decryption and signature verification,
require the involvement of the trusted authority to carry out computation based on the public string and its own private
data. Frequently, the string serves to "identify" the intended message recipient and this has given rise to the use of the
label "identifier-based" or "identity-based" generally for these cryptographic methods. However, depending on the
application to which such a cryptographic method is put, the string may serve a different purpose to that of identifying the
intended recipient and, indeed, may be an arbitrary string having no other purpose than to form the basis of the
cryptographic processes. Accordingly, the use of the term "identifier-based" herein in relation to cryptographic methods
and systems is to be understood simply as implying that the methods and systems are based on the use of a crypto-
graphically unconstrained string whether or not the string serves to identify the intended recipient. Furthermore, as
used herein the term "string" is simply intended to imply an ordered series of bits whether derived from a character
string, a serialized image bit map, a digitized sound signal, or any other data source.

[0013] In the present case, the identifier-based public / private key pair defined for the party has a public key Q_ID
and private key S_ID where Q_ID, S_ID ∈ G1. The trusted authority's normal public/private key pair (P, R / s) is linked with the
identifier-based public/private key by

S_ID = sQ_ID and Q_ID = H1(ID)

where ID is the identifier string for the party.

[0014] Some typical uses for the above described key pairs will now be given with reference to Figure 1 of the
accompanying drawings that depicts a trusted authority 10 with a public key (P, sP) and a private key s. A party A
serves as a general third party whilst for the identifier-based cryptographic tasks (IBC) described, a party B has an
IBC public key Q_ID and an IBC private key S_ID.

[0015] Standard Signatures (see dashed box 2): The holder of the private key s (that is, the trusted authority 10 or
anyone to whom the latter has disclosed s) can use s to sign a bit string; more particularly, where m denotes a message
to be signed, the holder of s computes:

V = sH1(m).
[0016] Verification by party A involves this party checking that the following equation is satisfied:

t(P, V) = t(R, H1(m))

[0017] This is based upon the mapping between G1 and G2 being bilinear, so that exponents/multipliers can be moved
around as described above. That is to say,

t(P, V) = t(P, sH1(m))
= t(P, H1(m))^s
= t(sP, H1(m))



[0018] Identifier-Based Encryption (see dashed box 3): Identifier based encryption allows the holder of the private
key S_ID of an identifier based key pair (in this case, party B) to decrypt a message sent to them encrypted (by party
A) using B's public key Q_ID.

[0019] More particularly, party A, in order to encrypt a message m, first computes:

U = rP

where r is a random element of Fq. Next, party A computes:

V = m ⊕ H3(t(R, rQ_ID))

[0020] Party A now has the ciphertext elements U and V which it sends to party B.
[0021] Decryption of the message by party B is performed by computing:

V ⊕ H3(t(U, S_ID)) = V ⊕ H3(t(rP, sQ_ID))
= V ⊕ H3(t(P, Q_ID)^rs)
= V ⊕ H3(t(sP, rQ_ID))
= m



[0022] Identifier-Based Signatures (see dashed box 4): Identifier based signatures using Tate pairing can be
implemented. For example:

Party B first computes:

r = t(S_ID, P)^k

where k is a random element of Fq.

Party B then applies the hash function H2 to m || r (concatenation of m and r) to obtain:

h = H2(m || r).

[0023] Thereafter party B computes

U = (k - h)S_ID

thus generating the output U and h as the signature on the message m.
[0024] Verification of the signature by party A can be established by computing:

r' = t(U, P) · t(Q_ID, R)^h

where the signature can only be accepted if h = H2(m || r').
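The prior-art primitives of [0009]-[0024] (trusted-authority and identifier-based keys, the standard signature, identifier-based encryption and the identifier-based signature), as an added Python example that is not part of the patent. The bilinear setting is a constructed toy so that the block runs offline: an element aP of G1 is the residue a mod q with generator P = 1, the target group G2 is Z_q written additively, and t(x, y) = xy mod q. This reproduces the bilinear algebra exactly but none of the hardness assumptions (discrete logarithms are trivial), so it demonstrates the verification equations, not security. The function names, the choice of SHA-256 and SHAKE-256 for H1/H2/H3 (the patent leaves them abstract) and the sample message are my own assumptions.

```python
import hashlib
import secrets

# Constructed toy bilinear setting, NOT secure: an element aP of G1 is the
# residue a mod q (generator P = 1), G2 is (Z_q, +) and t(x, y) = x*y mod q.
# Bilinearity holds exactly; discrete logarithms are trivial.
Q = 2**61 - 1        # prime group order q (a Mersenne prime)
P_GEN = 1            # the trusted authority's point P

def smul(a, x):
    """Scalar multiplication aX in G1."""
    return (a * x) % Q

def pair(x, y):
    """Symmetric bilinear map t: G1 x G1 -> G2, t(aX, bY) = t(X, Y)^(ab)."""
    return (x * y) % Q

def g2_mul(a, b):
    """Group operation in G2 (written as a product in the text)."""
    return (a + b) % Q

def g2_pow(a, k):
    """Exponentiation in G2: the t(...)^k of the text."""
    return (a * k) % Q

def h1(data):
    """H1: {0,1}* -> G1, the map-to-point hash (toy: SHA-256 reduced into 1..q-1)."""
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def h2(data):
    """H2: {0,1}* -> F_q (domain-separated from H1)."""
    return int.from_bytes(hashlib.sha256(b"H2" + data).digest(), "big") % Q

def h3(g2_elem, nbytes):
    """H3: G2 -> {0,1}*, stretched to the message length with SHAKE-256 (assumption)."""
    return hashlib.shake_256(g2_elem.to_bytes(8, "big")).digest(nbytes)

def rand_scalar():
    return 1 + secrets.randbelow(Q - 1)

# [0011]-[0013]: trusted-authority key pair and identifier-based key pair
def ta_keygen():
    s = rand_scalar()
    return s, (P_GEN, smul(s, P_GEN))                # private s, public (P, R = sP)

def ibc_keys(s, identifier):
    q_id = h1(identifier)
    return q_id, smul(s, q_id)                       # Q_ID = H1(ID), S_ID = s Q_ID

# [0015]-[0017]: standard signature V = s H1(m), check t(P, V) = t(R, H1(m))
def sign(s, m):
    return smul(s, h1(m))

def verify_sig(pub, m, v):
    p, r = pub
    return pair(p, v) == pair(r, h1(m))

# [0018]-[0021]: identifier-based encryption, U = rP, V = m xor H3(t(R, r Q_ID))
def ibe_encrypt(pub, q_id, m):
    p, r = pub
    rnd = rand_scalar()
    u = smul(rnd, p)
    mask = h3(pair(r, smul(rnd, q_id)), len(m))
    return u, bytes(a ^ b for a, b in zip(m, mask))

def ibe_decrypt(s_id, u, v):
    mask = h3(pair(u, s_id), len(v))                 # t(U, S_ID) = t(R, r Q_ID) by bilinearity
    return bytes(a ^ b for a, b in zip(v, mask))

# [0022]-[0024]: identifier-based signature (U, h) with U = (k - h) S_ID
def ibs_sign(s_id, m):
    k = rand_scalar()
    r_val = g2_pow(pair(s_id, P_GEN), k)             # r = t(S_ID, P)^k
    h = h2(m + r_val.to_bytes(8, "big"))             # h = H2(m || r)
    return smul(k - h, s_id), h

def ibs_verify(pub, q_id, m, u, h):
    p, r = pub
    r_prime = g2_mul(pair(u, p), g2_pow(pair(q_id, r), h))   # r' = t(U, P) t(Q_ID, R)^h
    return h == h2(m + r_prime.to_bytes(8, "big"))

def demo():
    """Round-trips plus a tampered case for each primitive; constructed inputs."""
    s, pub = ta_keygen()
    msg = b"constructed sample message"
    v = sign(s, msg)
    sig_ok = verify_sig(pub, msg, v) and not verify_sig(pub, msg + b"x", v)
    q_bob, s_bob = ibc_keys(s, b"Bob")
    u, c = ibe_encrypt(pub, q_bob, msg)
    dec_ok = ibe_decrypt(s_bob, u, c) == msg and ibe_decrypt(smul(2, s_bob), u, c) != msg
    u2, h = ibs_sign(s_bob, msg)
    ibs_ok = ibs_verify(pub, q_bob, msg, u2, h) and not ibs_verify(pub, q_bob, msg + b"x", u2, h)
    return sig_ok, dec_ok, ibs_ok

if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The three verifications succeed for exactly the reason [0017] and [0021] give: each side of the check ends up as the same product of scalars applied to the same pair, so the toy's t(x, y) = xy makes the equality visible by inspection, while a real implementation would replace `pair` with a Tate or Weil pairing over curve points and keep the rest unchanged.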

[0025] It will be recalled that the problem discussed at the outset was how a third party could verify the associations
between trusted authorities arranged in a hierarchy without having to follow a trail of certificates. In fact, the above-
described IBC encryption/decryption method offers one possible solution. Consider the situation where a trusted
authority at one level in the hierarchy has an IBC public key Q_ID / private key S_ID pair with the private key being provided
by a trusted authority in the next level up on the basis of the ID of the lower-level trusted authority and the private key
s of a normal public key (P, sP) / private key s pair held by the higher-level trusted authority. A third party could then
check that the lower-level trusted authority was associated with the higher-level one by an IBC-based challenge/
response mechanism. More particularly, the third party could encrypt a nonce (random number) using both the public
key element sP of the higher-level trusted authority and the IBC public key Q_ID of the lower-level trusted authority. The
third party sends the encrypted nonce to the lower-level trusted authority and asks it to decrypt and return the nonce;
the lower-level trusted authority will only be able to do this if it has (or can get) the key S_ID (= sQ_ID) from the higher-
level trusted authority. Thus, if the lower-level trusted authority can return the decrypted nonce, the association between
the lower-level trusted authority and the higher-level trusted authority is proved. Whilst this approach is viable, it involves
an exchange of messages between the third party and the lower-level trusted authority and also (if the lower-level
trusted authority does not already have its IBC private key) between the lower-level trusted authority and the higher-
level trusted authority. In many situations this may either not be possible or be undesirable; for example, the third party
may wish to check the association between the trusted authorities offline or the third party may not wish to let it be
known that it is carrying out the check.

[0026] It is an object of the present invention to provide a way of checking the association between two parties that
obviates at least some of the difficulties noted above.

Summary of the Invention 

[0027] According to a first aspect of the present invention, there is provided a method of enabling a third party to
verify an association between a first party associated with a first element, of a first algebraic group, and a second party
associated with a second element, of a second algebraic group, formed from an identifier string of the second party,
wherein:

- there exists a computable bilinear map for the first and second elements;
- the first party has a first secret and computes a first product from the first secret and the first element;
- the second party has both a second secret, and a shared secret provided by the first party as the product of the
first secret and the second element;
- the second party computes first, second and third verification parameters as the product of the second secret with
said shared secret, the second element and the first element respectively.

[0028] Using the non-secret data elements and a function p providing the bilinear mapping, a third party can verify
the existence of an association between first and second parties by:

- computing the second element from the identifier string of the second party;
- carrying out a first check:
  p(third verification parameter, computed second element) = p(first element, second verification parameter)
- carrying out a second check:
  p(first element, first verification parameter) = p(first product, second verification parameter)

the association between the first and second parties being treated as verified if both checks are passed.

[0029] According to a second aspect of the present invention, there is provided a method of verifying an association
between a first party associated with a first element, of a first algebraic group, and a second party associated with a
second element, of a second algebraic group; the first and second elements being such that there exists a bilinear
mapping p for these elements; the method comprising carrying out the following operations:

- receiving both data indicative of said first element, and a first product formed by the first party from a first secret
and the first element;
- receiving in respect of the second party both an identifier string, and first, second and third verification parameters;
- computing the second element from the identifier string of the second party;
- carrying out a first check:
  p(third verification parameter, computed second element) = p(first element, second verification parameter)
- carrying out a second check:
  p(first element, first verification parameter) = p(first product, second verification parameter)

the association between the first and second parties being treated as verified if both checks are passed.

[0030] According to a third aspect of the present invention, there is provided apparatus arranged to enable a third
party to verify an association between the apparatus and a first party that has a first secret and is associated with a
first element, of a first algebraic group; the apparatus being associated with a second element, of a second algebraic
group, and the first and second elements being such that there exists a bilinear mapping p for these elements; the
apparatus comprising:

- a memory for holding a second secret and an identifier string associated with the apparatus,
- means for forming said second element from said identifier string,
- means for receiving from the first party a shared secret based on said first secret and said first element, and for
storing this shared secret in the memory,
- means for computing first, second and third verification parameters as the product of the second secret with said
shared secret, said second element and said first element respectively, and
- means for making available said identifier string and said verification parameters to the third party.

35 

[0031] According to a fourth aspect of the present invention, there is provided apparatus for verifying an association
between a first party associated with a first element, of a first algebraic group, and a second party associated with a
second element, of a second algebraic group; the first and second elements being such that there exists a bilinear
mapping p for these elements; the apparatus comprising:

- means for receiving both data indicative of the first element, and a first product formed by the first party from a
first secret and the first element;
- means for receiving in respect of the second party both an identifier string, and first, second and third verification
parameters;
- means for computing the second element from the identifier string of the second party;
- means for carrying out a first check:
  p(third verification parameter, computed second element) = p(first element, second verification parameter)
- means for carrying out a second check:
  p(first element, first verification parameter) = p(first product, second verification parameter)
- means responsive to both checks being passed, to confirm that there exists an association between the first and
second parties.

[0032] The present invention also encompasses computer program products both for providing verification param-
eters enabling verification of an association between two parties, and for carrying out a verification check using these
parameters.






EP 1 378 821 A2 



Brief Description of the Drawings

[0033] Embodiments of the invention will now be described, by way of non-limiting example, with reference to the
accompanying diagrammatic drawings, in which:

- Figure 1 is a diagram showing prior art cryptographic processes based on elliptic curve cryptography using Tate
pairings;
- Figure 2 is a diagram illustrating a first embodiment of the invention illustrating, for generalized first and second
parties, how a third party can verify an association between first and second parties;
- Figure 3 is a diagram of a second embodiment involving a hierarchy of a first-level trusted authority and a second-
level trusted authority; and
- Figure 4 is a diagram of a third embodiment involving an n-level hierarchy of trusted authorities.

Best Mode of Carrying Out the Invention



[0034] Considering first the situation where there is an association between a first party and a second party which
the second party would like to be able to prove to a third party; the nature of the association concerned is not relevant
to the present discussion but could, for example, be a trust relationship (e.g. the second party is trusted to act on behalf
of the first party in respect of certain matters) or simply a biological relationship (e.g. the first party is a parent and the
second is a child of the first party).

[0035] In order to enable the second party to prove this association, the first party provides the second party with a
secret, herein referred to as a "shared secret", though there is no requirement on the first party to keep a copy of this
shared secret after giving it to the second party. The nature of the shared secret is such that it enables the second
party to prove its association with the first party without giving away the shared secret.

[0036] According to the present invention, the above-described arrangement is enabled by the use of bilinear map-
pings as will now be explained with reference to embodiments based on modified Tate pairings (though, of course,
other pairings such as modified Weil pairings can alternatively be used). The notations and definitions given in the
introductory portion of the present specification also apply to what follows.

[0037] The first party has its own secret s1 and an associated point P on an elliptic curve. The first party makes P
and the combination s1P (= R) publicly available in any suitable manner. The second party also has its own secret s2
and an associated point Q on the same elliptic curve as P. The second party makes Q and the combination s2Q publicly
available in any suitable manner. It will be appreciated that reference to an element being made publicly available
simply means making it available to third parties who have an interest and right to know the element and does not
necessarily imply unrestricted distribution.
[0038] The second party is provided with s1Q by the first party as the shared secret that is to be used in establishing
to the third party the association between the second party and the first party. In order to keep the shared secret s1Q
secret whilst providing the third party with the information it needs to verify the association between the first and second
parties, the second party combines s1Q with s2 and makes the resulting combination s1s2Q public.
[0039] Recapping so far, the elements associated with the first and second parties are:



First party:
Secret data: s1
Public data: P, R (= s1P)

Second party:
Secret data: s1Q
Public data: Q, s2Q, s1s2Q

[0040] It is assumed that the third party reliably knows P and R (= s1P), the public data of the first party. The third
party has also received, in respect of the second party: the point Q, an element, herein called X, that is purportedly
s1s2Q, and an element, herein called Y, that is purportedly s2Q. In order to check whether X truly does contain s1, the
third party checks the following:

t(P, X) = t(R, Y)    Test 1
[0041] Because R = s1P, the above will only be valid if X is equal to s1Y. This would prove that the second party must
have a shared secret containing s1, which only it and the first party know (thus proving the association between the
parties), were it not for the possibility that, since s1P is public, the second party could have constructed Q as mP, where
m ∈ Fq, and then used m, s2 and s1P to construct X as s1s2mP and Y as s2mP. In other words, if the second party
can construct its Q from P then it can pass Test 1 without needing to ask for a shared secret from the first party.
[0042] It is therefore necessary for the third party to be satisfied that Q has not been formed by multiplying P by m
(it being appreciated that because the discrete logarithm problem is hard, the third party cannot discover if Q is of the
form mP; though, of course, if m = 1, this will be apparent). To this end, the point Q is required to be derived from an
identifier string ID using the map-to-point hash function because in this case even if Q happened to be equal to mP
(which is highly unlikely), the second party would neither be aware of this nor able to separate out m and use it to
generate an X of the form s1s2mP. It is not, of course, possible for the second party to work backwards from a value
of m to produce the string ID that would give rise to m using the map-to-point function.

[0043] To emphasise the fact that Q originates from an identifier, it is suffixed with "ID" in the following discussion; thus:

Q_ID = H1(ID)

where the identifier string ID can be any string and typically, though not necessarily, serves to identify the second party
in plain language.

[0044] So now if the second party makes public the string ID rather than (or in addition to) Q_ID, the third party can
use the string ID to form the point Q_ID thereby re-assuring itself that the second party has not used a value m to form
Q as mP. However, the third party also needs to be able to link this legitimate Q_ID to the elements used in Test 1; in
particular, the third party needs to be sure that the element Y contains the legitimate Q_ID derived from ID. To this end,
the third party must carry out a second test for which purpose the second party must provide a further quantity, herein
called Z, that is purportedly equal to s2P. The second test is of the following form:

t(Z, Q_ID) = t(P, Y)    Test 2

[0045] If this is true, then the second party knows that Y must contain Q_ID.

[0046] The above test (Test 1) is now therefore adequate to prove that the second party does indeed have a shared
secret of the form s1Q_ID which must have been provided by the first party, thereby proving there is an association
between the first and second parties.

[0047] Recapping, and as shown in Figure 2, the elements associated with the first and second parties 5, 6 are:

First party 5:
Secret data: s1
Public data: P, R = s1P

Second party 6:
Secret data: s2, s1Q_ID
Public data: ID, X = s1s2Q_ID, Y = s2Q_ID, Z = s2P

and the third party 7 carries out the following:

Q_ID = map-to-point H1(ID);
Test 2;
Test 1.

[0048] The requirements for the third party to be able to verify the association between the first and second parties
(respectively higher-level and lower-level parties in the association hierarchy) can thus be expressed as follows:

- the first party must have a public key (P, R) / private key s1 key pair where R = s1P; it may be noted that P could be
based on an identity string for the first party by using the map-to-point hash H1.
- the second party must have an IBC public key ID / private key s1Q_ID key pair where Q_ID = H1(ID).
- using a secret s2 the second party must form three public verification parameters (X, Y, Z) by multiplying by s2:
  - the point P that is part of the public key of the first party,
  - the point Q_ID of the second party,
  - the private part s1Q_ID of the second party's IBC key pair.

[0049] In applying the two Tests 1 and 2, the point P is the point that is part of the public key of the first (higher-level)
party, the other part of the key being R, whilst the point Q_ID is the point derived from the identity of the second (lower-
level) party using the map-to-point hash function H1, and the parameters X, Y and Z are all supplied by the second party.
[0050] Other ways of characterising the parameters referred to above as the "verification parameters" are also pos-
sible; for example, it may be noted that two of these parameters, namely Y (= s2Q_ID) and Z (= s2P), can each be viewed
as part of the public key of a respective standard public/private key pair that involves the point concerned and has a
private key of s2.

[0051] Figure 3 illustrates the application of the foregoing to an hierarchical arrangement of two trusted authorities
60 and 70 where the latter has issued a user 80 with an IBC private key.

[0052] More particularly, Figure 3 shows a first computer entity 10, a second computer entity 20, a third computer
entity 30 and a fourth computer entity 40 connected via a network 50, for example the Internet. The first computer
entity 10 represents a first trusted authority 60, for example a company, the second computer entity 20 represents a
second trusted authority 70, for example a division within the company and the third computer entity 30 represents a
user 80, for example a worker within the company. The fourth computer entity 40 represents, for example, a business
partner 90 of the company that wishes to interact with the user 80.

[0053] The first, second, third and fourth computer entities 10, 20, 30, 40 are conventional program-controlled com-
puting devices though specialised hardware may be provided to effect particular cryptographic processes.
[0054] The first computer entity 10 and second computer entity 20 form a trusted authority hierarchy in which the
first computer entity 10 acts as a root, or first level, trusted authority 60 and the second computer entity 20 acts as a
second level trusted authority 70. The first-level trusted authority 60 has a standard public key (P, R_TA1) / private key s1
key pair where R_TA1 = s1P. The second-level trusted authority 20 has an IBC public/private key pair the private key
S_TA2 of which has been generated by the first-level trusted authority 60 using its private key s1 and Q_TA2, where Q_TA2 = H1
(TA2) and "TA2" is an identity string associated with the second-level trusted authority 70. Table 1 sets out the keys
held by the first-level and second-level trusted authorities 60 and 70.



Table 1

Entity          | Standard Private Key | Standard Public Key | ID Based Private Key | ID Based Public Key
First-level TA  | s1                   | P, R_TA1 (= s1P)    | -                    | -
Second-level TA | -                    | -                   | S_TA2 = s1Q_TA2      | Q_TA2 = H1(TA2)



[0055] Once in the possession of the IBC private key S_TA2 (the "master private key") the second-level trusted au-
thority 70 is able to produce a set of verification parameters X, Y and Z enabling a third party to verify, without further
interaction with the first-level trusted authority and without the need for digital certificates, that the private key of the
IBC public/private key pair of the second-level trusted authority 70 could only have been generated by the first-level
trusted authority 60. More particularly, the second-level trusted authority 70 selects a random number r where r ∈ Fq;
the random number r is a "pseudo-master private key". Once the pseudo-master key has been selected the second-
level trusted authority 70 generates the following public verification parameters:

rs1Q_TA2, rQ_TA2 and rP

that respectively correspond to the parameters X, Y and Z of the above-described Tests 1 and 2.
[0056] It should be noted that even though in the above example the second-level trusted authority 70 has created
a single pseudo-master private key, the second-level trusted authority 70 could generate any number of pseudo-master
private keys.

[0057] It may also be noted that the second-level trusted authority 70 is likely also to have one or more standard
public/private key pairs. For example, the pseudo-master private key r could be used as the private key and combined
either with P or Q_ID or another point in G1 not computed from an existing point, to form a corresponding public key.
Alternatively, a completely separate private key s2 could be generated where s2 ∈ Fq and used with P or Q_ID or another
point in G1 not computed from an existing point, to form a corresponding public key.
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[0058] The user 80 registers with the second trusted authority 70 to obtain an associated IBC private key for the 
user's public key, where the user's public key could be any form of identifier, for example the user's name 'Bob', and 
the map-to-point hash H t (Bob) of this identifier maps to a point in G A . The IBC private key provided to the user 
80 is a combination of the user's public key and the second-level trusted authority's pseudo private key i.e. the user's 
5 private key is rf^,. 

[0059] To send an encrypted message to the user 80, the third-party business partner 90 can now use the IBC public 
key of the user 80 and the public key of the second-level trusted authority 70 used by user BO; in doing this, the third 
party 90 can be sure that the user will only be able to decrypt the message if the user is known to the second-level 
trusted authority 70 since the IBC private key needed for decryption must be provided by that authority. 
[0060] The third party 90 can also verify that the second-level trusted authority 70 (company division) is associated 
with the first-level trusted authority (company). To do this, the third party 90 uses the identity "TA2" and the public verification 
parameters r s_1 Q_TA2, r Q_TA2 and rP of the second-level trusted authority 70, together with the public key P, R_TA1 (= s_1 P) 
of the first-level trusted authority 60, to carry out the Tests 1 and 2 described above with respect to Figure 2. More 
particularly: 

- the third party 90 first forms Q_TA2 from the identity string "TA2" using the map-to-point hash function H_1; 

- the third party 90 carries out Test 2 by checking 

p(Z, Q_TA2) = p(P, Y) 

where Z = rP and Y = r Q_TA2 and Q_TA2 is the element just formed from the identity "TA2"; this check, if passed, confirms 
that the element Y contains Q_TA2; 

- the third party 90 carries out Test 1 by checking 

p(P, X) = p(R_TA1, Y) 

where R_TA1 = s_1 P and X = r s_1 Q_TA2; this check, if passed, confirms that X must contain s_1 Q_TA2, which the second-level trusted 
authority 70 must have obtained in a non-public element from the first-level trusted authority 60. 
[0061] Of course, because the second-level trusted authority has published its point Q_TA2 (or the underlying identifier 
"TA2") as well as the element r Q_TA2, thereby providing a standard public/private key pair, it would be possible for the 
user 80 itself to produce a set of verification parameters to enable the third party 90 to verify the existence of an 
association between the user 80 and the second-level trusted authority 70 without needing to send a message to the 
user. To produce the required verification parameters the user 80 picks a random number r_B where r_B ∈ F_q and gen- 
erates the parameters: 

r_B r Q_Bob, r_B Q_Bob and r_B Q_TA2 

respectively corresponding to the parameters X, Y and Z. In this case, in the Tests 1 and 2, the element P is, of course, 
replaced by Q_TA2 and the element R by r Q_TA2, as Q_TA2 is now the point associated with the higher-level party. In fact, 
where the second-level trusted authority has provided one or more other standard public/private key pairs, the public 
values of any such pair can be used for the elements P and R in the previously stated forms of the Tests. 

[0062] Figure 4 of the accompanying drawings illustrates for an n-level hierarchy of trusted authorities TA1 to TAn, 
a possible organisation of keys and verification parameters. In this example, each trusted authority such as authority 
TAi (where 1 < i <= n) has: 

- a standard public/private key pair, the private key of this key pair being a secret s_i and the public key being (P_i, 
s_i P_i) where P_i = H_1("TAi"), that is, the map-to-point hash of the identity of the authority; 

- an IBC key pair, the public key of this key pair being the identity TAi of the trusted authority and the secret key 
being the product s_{i-1} P_i of the map-to-point hash of this identity and the secret s_{i-1} of the next level up trusted authority; 

- two additional verification parameters s_i s_{i-1} P_i and s_i P_{i-1} (corresponding to X and Z above, the verification parameter 
Y = s_i P_i already being present in the public key of the standard key pair). 

[0063] The root trusted authority TA1 simply has a standard public key (P_1, s_1 P_1)/private key s_1 key pair. 

[0064] With this hierarchy, it is possible to verify the association between each parent/child pairing of trusted author- 
ities in the hierarchy, thereby enabling a check to be made that any non-root trusted authority, from the lowest level (or 
leaf) authority upwards, is associated with the root trusted authority. 
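As an added illustration (not code from the patent), the following Python models the two-party check of Tests 1 and 2 from paragraph [0060] and the n-level hierarchy of paragraphs [0062] to [0064], verifying every parent/child link from public data only. It assumes a toy stand-in for the elliptic-curve group and the Tate/Weil pairing (integers mod q with e(A, B) = g^(A*B) mod p), the constructed parameter p = 10^9+7, and the helper names pairing, map_to_point, verify_association, build_hierarchy and verify_chain, none of which come from the patent.

```python
"""Toy model of Tests 1 and 2 and of the Figure 4 hierarchy (added illustration, not
the patent's code).  ASSUMPTION: the elliptic-curve group and Tate/Weil pairing are
replaced by a stand-in with the same algebra: elements are integers mod q, scalar
multiplication is multiplication mod q, e(A, B) = g^(A*B) mod p, p = 2q+1 prime."""
import hashlib
import secrets

P_MOD = 1_000_000_007        # constructed prime p
Q = (P_MOD - 1) // 2         # q = 500_000_003, order of the exponent group
G = pow(5, 2, P_MOD)         # g = 5^2 lies in the subgroup of order q

def pairing(a, b):
    """Stand-in bilinear map: pairing(k*A, m*B) == pairing(A, B)^(k*m)."""
    return pow(G, (a * b) % Q, P_MOD)

def map_to_point(identity):
    """Stand-in for H1: hash an identifier string to a non-zero group element."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def mul(k, elem):
    return (k * elem) % Q    # scalar multiplication k*A in the toy group

def verify_association(P, R, identity, X, Y, Z):
    """Third party's check from public data only: Test 2 shows Y contains Q_id,
    Test 1 shows X contains the parent's secret s (with R = s*P) applied to Q_id."""
    Q_id = map_to_point(identity)
    test2 = pairing(Z, Q_id) == pairing(P, Y)
    test1 = pairing(P, X) == pairing(R, Y)
    return test2 and test1

def build_hierarchy(names):
    """Figure 4 layout for TA1..TAn: each level publishes id, P_i = H1(TAi), s_i*P_i
    (its standard public key, = Y) and, below the root, X = s_i*s_{i-1}*P_i, Z = s_i*P_{i-1}."""
    levels, parent = [], None
    for name in names:
        s_i = secrets.randbelow(Q - 1) + 1
        P_i = map_to_point(name)
        pub = {"id": name, "P": P_i, "R": mul(s_i, P_i)}
        if parent is not None:
            s_prev, P_prev = parent
            ibc_secret = mul(s_prev, P_i)      # IBC private key issued by the parent
            pub["X"], pub["Z"] = mul(s_i, ibc_secret), mul(s_i, P_prev)
        levels.append(pub)
        parent = (s_i, P_i)
    return levels

def verify_chain(levels):
    """Verify every parent/child link of the hierarchy (paragraph [0064])."""
    return all(verify_association(p["P"], p["R"], c["id"], c["X"], c["R"], c["Z"])
               for p, c in zip(levels, levels[1:]))
```

A child whose X was not built from the parent's secret still passes Test 2 but fails Test 1, which is exactly the separation the two tests are meant to give.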

[0065] It will be appreciated that many variants are possible to the above described embodiments of the invention. 


Claims 

1. A method of enabling a third party (90) to verify an association between a first party (60) associated with a first 
element (P), of a first algebraic group (G_1), and a second party (70) associated with a second element (Q_TA2), of 
a second algebraic group (G_2), formed from an identifier string ("TA2") of the second party, wherein: 

- there exists a computable bilinear map for the first and second elements (P, Q_TA2); 

- the first party has a first secret (s_1) and computes a first product (R_TA1) from the first secret (s_1) and the first 
element (P); 

- the second party has both a second secret (r) and a shared secret (s_1 Q_TA2) provided by the first party as the 
product of the first secret (s_1) and the second element (Q_TA2); 

- the second party computes first (X), second (Y) and third (Z) verification parameters as the product of the 
second secret (r) with said shared secret (s_1 Q_TA2), said second element (Q_TA2) and said first element (P) 
respectively. 


2. A method according to claim 1, wherein the second party (70) generates a further shared secret (r Q_Bob) from the 
second secret (r) and an identifier string ("Bob") of a fourth party (80), the second party (70) passing this further 
shared secret to the fourth party (80) for use by the latter as the private key of a public/private key pair the public 
key of which is formed by the identifier string ("Bob") of the fourth party (80). 

3. A method according to claim 1 or claim 2, wherein the first and second parties are respectively parent and child 
trusted authorities (60,70) in a hierarchy of trusted authorities. 

4. A method according to any one of the preceding claims, wherein the first and second algebraic groups (G_1, G_2) 
are the same. 

5. A method according to any one of the preceding claims, wherein the first and second elements (P, Q_TA2) are points 
on the same elliptic curve. 

6. A method of verifying an association between the first and second parties (60,70) of claim 1 by using a function p 
providing said bilinear map; the method comprising carrying out the following operations using the non-secret data 
elements of claim 1: 

- computing said second element (Q_TA2) from the identifier string ("TA2") of the second party; 

- carrying out a first check: 

p(third verification parameter (Z), computed second element (Q_TA2)) 
= p(first element (P), second verification parameter (Y)) 

- carrying out a second check: 

p(first element (P), first verification parameter (X)) 
= p(first product (R_TA1), second verification parameter (Y)) 

the association between the first and second parties (60,70) being treated as verified if both checks are passed. 

7. A method according to claim 6, wherein said bilinear mapping function p is based on a Tate or Weil pairing. 

8. A method of verifying an association between a first party (60) associated with a first element (P), of a first algebraic 
group (G_1), and a second party (70) associated with a second element, of a second algebraic group (G_2); the first 
and second elements (P, Q_TA2) being such that there exists a bilinear mapping p for these elements; the method 
comprising carrying out the following operations: 

- receiving both data indicative of the first element (P) and a first product (R_TA1) formed by the first party from 
a first secret (s_1) and the first element (P); 

- receiving in respect of the second party (70) both an identifier string ("TA2"), and first (X), second (Y) and third 
(Z) verification parameters; 

- computing the second element (Q_TA2) from the identifier string ("TA2") of the second party (70); 

- carrying out a first check: 

p(third verification parameter (Z), computed second element (Q_TA2)) 
= p(first element (P), second verification parameter (Y)) 

- carrying out a second check: 

p(first element (P), first verification parameter (X)) 
= p(first product (R_TA1), second verification parameter (Y)) 

the association between the first and second parties (60,70) being treated as verified if both checks are passed. 

9. A method according to claim 8, wherein said bilinear mapping p is based on a Tate or Weil pairing. 

10. A method according to claim 8 or claim 9, wherein the first and second algebraic groups (G_1, G_2) are the same. 

11. A method according to any one of claims 8 to 10, wherein the first and second elements (P, Q_TA2) are points on 
the same elliptic curve. 

12. Apparatus arranged to enable a third party (90) to verify an association between the apparatus (20) and a first 
party (60) that has a first secret (s_1) and is associated with a first element (P), of a first algebraic group (G_1); the 
apparatus (20) being associated with a second element (Q_TA2), of a second algebraic group (G_2), and the first and 
second elements (P, Q_TA2) being such that there exists a bilinear mapping p for these elements; the apparatus 
(20) comprising: 

- a memory for holding a second secret (r) and an identifier string ("TA2") associated with the apparatus, 

- means for forming the second element (Q_TA2) from said identifier string ("TA2"), 

- means for receiving from the first party (60) a shared secret (s_1 Q_TA2) based on said first secret (s_1) and said 
second element (Q_TA2), and for storing this shared secret in the memory, 

- means for computing first (X), second (Y) and third (Z) verification parameters as the product of the second 
secret (r) with said shared secret (s_1 Q_TA2), said second element (Q_TA2) and said first element (P) respectively, 
and 

- means for making available said identifier string ("TA2") and said verification parameters (X, Y, Z) to the third 
party (90). 

13. Apparatus according to claim 12, wherein the first and second algebraic groups (G_1, G_2) are the same. 

14. Apparatus according to claim 12 or 13, wherein the first and second elements (P, Q_TA2) are points on the same 
elliptic curve. 

15. Apparatus for verifying an association between a first party (60) associated with a first element (P), of a first alge- 
braic group (G_1), and a second party (70) associated with a second element (Q_TA2), of a second algebraic group 
(G_2); the first and second elements (P, Q_TA2) being such that there exists a bilinear mapping p for these elements; 
the apparatus comprising: 

- means for receiving both data indicative of the first element (P) and a first product (R_TA1) formed by the first 
party from a first secret (s_1) and the first element (P); 

- means for receiving in respect of the second party (70) both an identifier string ("TA2"), and first, second and 
third verification parameters (X, Y, Z); 

- means for computing the second element (Q_TA2) from the identifier string ("TA2") of the second party (70); 

- means for carrying out a first check: 

p(third verification parameter (Z), computed second element (Q_TA2)) 
= p(first element (P), second verification parameter (Y)) 

- means for carrying out a second check: 

p(first element (P), first verification parameter (X)) 
= p(first product (R_TA1), second verification parameter (Y)) 

- means responsive to both checks being passed, to confirm that there exists an association between the first 
(60) and second (70) parties. 

16. Apparatus according to claim 15, wherein said bilinear mapping p is based on a Tate or Weil pairing. 

17. Apparatus according to claim 15 or claim 16, wherein the first and second elements (P, Q_TA2) are points on the 
same elliptic curve. 

18. A computer program product arranged, when installed in computing apparatus, to condition the apparatus to be 
of the form set out in claim 12. 

19. A computer program product arranged, when installed in computing apparatus, to condition the apparatus to be 
of the form set out in claim 15. 

Figure 2 

Figure 3 

EP 1 378 821 A2 

[Figure 4: key organisation for the n-level hierarchy TA1, TA2, ..., TA(i-1), TAi, ..., TAn. For each authority the drawing shows its Standard Key Pair (secret s_i; public P_i and s_i P_i), its IBC Key Pair (secret s_{i-1} P_i) and its Verification Parameters (s_i s_{i-1} P_i and s_i P_{i-1}), where P_i = H_1(TAi).] 

Figure 4 